Bug 197079

Summary: Crash in FrameLoader::stopAllLoaders via [WebView dealloc] inside ~ObjCEventListener
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: WebKit APIAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, beidson, cdumez, darin, ggaren, mitz
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=197712
Attachments:
Description Flags
Fixes the bug
none
Fixes the bug darin: review+

Description Ryosuke Niwa 2019-04-18 15:48:21 PDT 
Some WebKit clients crash in FrameLoader::stopAllLoaders via [WebView dealloc] inside ~ObjCEventListener while deleting event targets.

<rdar://problem/40888424>
Comment 1 Ryosuke Niwa 2019-04-18 16:02:31 PDT 
Created attachment 367769 [details]
Fixes the bug
Comment 2 Ryosuke Niwa 2019-04-18 16:03:48 PDT 
Created attachment 367770 [details]
Fixes the bug
Comment 3 Darin Adler 2019-04-19 09:59:58 PDT 
Comment on attachment 367770 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=367770&action=review

> Source/WebKitLegacy/mac/DOM/ObjCEventListener.mm:75
> +    // Avoid executing arbitrary code during GC; e.g. inside Node::~Node.
> +    [m_listener.get() retain];
> +    [m_listener.get() autorelease];

Some day we will move to ARC. To be prepared for when we do, it will be much more future-proof to use CFRetain and CFAutorelease, which can be used for this purpose even under ARC. I suggest doing that.

    CFRetain((__bridge CFTypeRef)m_listener.get());
    CFAutorelease((__bridge CFTypeRef)m_listener.get());

To make it cleaner, if this idiom comes up more often, we could add a RetainPtr member function designed for this purpose. Unfortunately, the current RetainPtr::autorelease is not what we want because it compiles to a bridging release under ARC, not an autorelease.
Comment 4 Ryosuke Niwa 2019-04-19 11:46:51 PDT 
(In reply to Darin Adler from comment #3)
> Comment on attachment 367770 [details]
> Fixes the bug
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=367770&action=review
> 
> > Source/WebKitLegacy/mac/DOM/ObjCEventListener.mm:75
> > +    // Avoid executing arbitrary code during GC; e.g. inside Node::~Node.
> > +    [m_listener.get() retain];
> > +    [m_listener.get() autorelease];
> 
> Some day we will move to ARC. To be prepared for when we do, it will be much
> more future-proof to use CFRetain and CFAutorelease, which can be used for
> this purpose even under ARC. I suggest doing that.
> 
>     CFRetain((__bridge CFTypeRef)m_listener.get());
>     CFAutorelease((__bridge CFTypeRef)m_listener.get());
> 
> To make it cleaner, if this idiom comes up more often, we could add a
> RetainPtr member function designed for this purpose. Unfortunately, the
> current RetainPtr::autorelease is not what we want because it compiles to a
> bridging release under ARC, not an autorelease.

Okay, sure, I'll use CF*.
Comment 5 Ryosuke Niwa 2019-04-19 12:01:40 PDT 
Committed r244459: <https://trac.webkit.org/changeset/244459>